Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 26 Dec 2016 13:05:49 -0500
From: Yannick Warnier <ywarnier@...milo.org>
To: oss-security@...ts.openwall.com
Cc: security@...milo.org, security@...pal.org, peter@...e-magic.net
Subject: Re: [security] PHPMailer < 5.2.18 Remote Code
 Execution [CVE-2016-10033]

Hi Peter,

The Chamilo team will be analyzing this in the next 2 days and likely 
provide a patch to our community. Although PHPMailer is indeed not used 
anymore in recent versions, we still have a large number of portals 
around using the previous version.

Thanks Drupal team for the PSA text, we'll probably use part of it as 
inspiration (unless that's not OK - just let me know).

Thank you for your great effort in looking out for us and letting us 
know. Most appreciated.

-- 

Yannick Warnier
Project leader
Chamilo


Le 26/12/16 à 12:57, Michael Hess a écrit :
> The Drupal Security team is going to release a PSA on this topic, we
> don't normally do it, but given the holiday we will issue PSA-004, in
> about 30 min.
>
> The text is below.
>
> Thanks,
> Michael on behalf of the Drupal Security Team.
>
>
>
> Posted by Drupal Security Team on December 26, 2016 at 12:50pm
>
> Advisory ID: DRUPAL-SA-PSA-2016-004
> Project: PHPMailer (third-party library)
> Version: 7.x, 8.x
> Date: 2016-December-26
> Security risk: 23/25 (Highly Critical)
> AC:None/A:User/CI:All/II:All/E:Exploit/TD:All
> Vulnerability: Arbitrary PHP code execution
>
> Description
>
> The PHPMailer and SMTP modules (and maybe others) add support for
> sending e-mails using the 3rd party PHPMailer library.
>
> In general the Drupal project does not create advisories for 3rd party
> libraries. Drupal site maintainers should pay attention to the
> notifications provided by those 3rd party libraries as outlined in
> PSA-2011-002 - External libraries and plugins. However, given the
> extreme criticality of this issue and the timing of its release we are
> issuing a Public Service Announcement to alert potentially affected
> Drupal site maintainers.
>
> CVE identifier(s) issued
>
> CVE-2016-10033
>
> Versions affected
>
> All versions of the external PHPMailer library < 5.2.18.
>
> Drupal core is not affected. If you do not use the contributed
> PHPMailer third party library, there is nothing you need to do.
>
> Solution
>
> Upgrade to the newest version of the phpmailler library.
> https://github.com/PHPMailer/PHPMailer
>
> Reported by
>
> Dawid Golunski
>
> Contact and More Information
>
> The Drupal security team can be reached at security at drupal.org or
> via the contact form at https://www.drupal.org/contact.
>
> Learn more about the Drupal Security team and their policies, writing
> secure code for Drupal, andsecuring your site.
>
> Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
>
>
>
> On Mon, Dec 26, 2016 at 9:55 AM, Peter Bex <peter@...e-magic.net> wrote:
>> On Mon, Dec 26, 2016 at 03:46:50PM +0100, Hanno Böck wrote:
>>> Hi,
>>>
>>> Given I had plenty of time on the train to 33c3 I did a quick
>>> lookaround on what contains PHPMailer. As the details of the vuln
>>> aren't clear yet this doesn't necessarily mean they're vulnerable, just
>>> that they ship the affected code.
>>
>> It looks like the vulnerability is due to a missing escaping of shell
>> arguments in the sender's e-mail address.  This commit seems to be
>> the one that fixes the bug:
>> https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc#diff-ace81e501931d8763b49f2410cf3094dR1449
>>
>> So it depends on whether a web form allows one to control the "from"
>> mail address or not.
>>
>>> Drupal doesn't contain PHPMailer, although mentioned in the advisory.
>>> But there are probably plugins and extensions using it. I also saw it
>>> used in some wordpress themes.
>>
>> I noticed this Drupal module: https://www.drupal.org/project/phpmailer
>> which has some sort of integration with the widely used mimemail module.
>> The linked module http://drupal.org/project/smtp also uses PHPMailer.
>> There are undoubtedly more modules that do.
>>
>> The LCMS system Chamilo also uses PHPMailer for sending mails internally.
>>
>> Cheers,
>> Peter Bex
>>
>> --
>> [ Security | https://lists.drupal.org/mailman/listinfo/security ]
>> [Security team mailing list management and scheduling is documented here | https://security.drupal.org/handling-list-emails]
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.